Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Malicious ESLint Packages Steal Software Registry Login Tokens

Following the compromise of an ESLint maintainer’s account last week, malicious packages that attempted to steal login tokens from the npm software registry were published without authorization.

Following the compromise of an ESLint maintainer’s account last week, malicious packages that attempted to steal login tokens from the npm software registry were published without authorization.

 Originally created by Nicholas Zakas, ESLint is described as an open source “pluggable and configurable linter tool” for identifying and reporting on patterns in JavaScript.

The issue affected version 3.7.2 of the popular package eslint-scope, as well as version 5.0.2 of eslint-config-eslint. The former is a scope analysis library used by older versions of eslint, and the latest versions of babel-eslint and webpack, while the latter is a configuration used internally by the ESLint team.

Both packages were hosted on npm, “the package manager for JavaScript and the world’s largest software registry,” which has faced similar incidents before.

Upon installation, the rogue packages would download and execute code from The code was designed to grab the content of the user’s .npmrc file, which usually contains access tokens for publishing to npm, and send the information to the attacker.

“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,” Henry Zhu notes.

Both of the malicious packages were unpublished from npm soon after the issue was discovered. Furthermore, the paste linked in these packages was taken down as well, ESLint explains in a post.

The npm login tokens targeted by the malicious code would not provide the attacker with the user’s npm password, but npm nonetheless decided to revoke possibly impacted tokens. Users too have the option to revoke existing tokens and npm advised them to do so.

“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously,” npm said.

The compromise was apparently possible because the maintainer had reused the same password on multiple accounts and also didn’t have two-factor authentication enabled on their npm account.

To ensure users are no longer at risk, ESLint published eslint-scope version 3.7.3 (with code from version 3.7.1) and eslint-config-eslint version 5.0.3.

The publishing of the updated packages doesn’t resolve the issue for all users, as those who installed the rogue packages would still need to do npm update or equivalent.

Related: Backdoored Module Removed from npm Registry

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...